Splunk today is IPv4 subnet aware, so if you do a search with something like ip_address = 10.0.0.0/24, Splunk knows to look for items 10.0.0.0 thru 10.0.0.255 ... NICE! Now what about IPv6 ... I think the answer is no. My question is when or how can this be done?
For example, IPv6_ADDR = 2001:54FF::/48 would look for a whole lot of stuff, but something like 2001:54FF:: to 2001:54FF:0000:FFFF:FFFF.
And this gets interesting, as you can show the first part of the IPv6 address as 2001:54FF:0000:0000 or 2001:54ff:: or 2001:54ff:0000::
It depends on what the system sending the log spits out ...
This search shows the problem.
| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF::/48
Splunk currently does not support IPv6 CIDR searching.
BUT, because you are searching for a /48, these both work:
| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*
| stats count | eval ips="2001:54ff:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*
As you can see, the capitalization does not matter.
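As an added illustration (not part of the original thread) of the case and zero-compression variants the question raises, this Python snippet compares a real CIDR membership test against the raw-string prefix match that a wildcard search like ip=2001:54FF:* performs; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample values modelled on the ones in the thread: the same /48
# written in several forms, plus addresses in neighbouring prefixes.
SAMPLE_IPS = [
    "2001:54FF:0000:ffff:ffff:ffff:ffff:ffff",  # inside 2001:54FF::/48
    "2001:54ff::1",                             # same /48, fully compressed
    "2001:54ff:0000::",                         # same /48, partly compressed
    "2001:54FF:0001::1",                        # same /32, but outside the /48
    "2002:54FF:0000:ffff:ffff:ffff:ffff:ffff",  # different /16 entirely
]

def in_cidr(ip, cidr):
    """True when ip falls inside cidr, comparing the parsed 128-bit values so
    upper/lower case and zero compression in the log text do not matter."""
    try:
        return ipaddress.IPv6Address(ip) in ipaddress.IPv6Network(cidr, strict=False)
    except ValueError:
        return False  # not a parseable IPv6 address (e.g. too few hextets)

def raw_wildcard_match(ip, pattern):
    """Emulate a case-insensitive search such as ip=2001:54FF:* : a prefix match
    on the text exactly as the log source wrote it."""
    prefix = pattern[:-1] if pattern.endswith("*") else pattern
    return ip.lower().startswith(prefix.lower())

def exact_wildcard(cidr):
    """Return the 'hextet:...:*' pattern that equals cidr when the prefix length
    is a multiple of 16 and the text is fully expanded; None otherwise."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    if net.prefixlen % 16:
        return None
    hextets = net.network_address.exploded.split(":")[: net.prefixlen // 16]
    return ":".join(hextets) + ":*"

def compare(ips, cidr, pattern):
    """Map each address to (cidr result, wildcard result) so the two can be diffed."""
    return {ip: (in_cidr(ip, cidr), raw_wildcard_match(ip, pattern)) for ip in ips}

if __name__ == "__main__":
    for ip, (c, w) in compare(SAMPLE_IPS, "2001:54FF::/48", "2001:54FF:*").items():
        print(f"{ip:42} cidr={c!s:5} wildcard={w}")
```

Running it shows where the two approaches diverge: the raw wildcard also accepts 2001:54FF:0001::1 (outside the /48), while the tighter pattern 2001:54ff:0000:* misses compressed forms such as 2001:54ff::1.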
Oops, I was a bit off with this FFFF:FFFF in that post; that address should be 2001:54FF:0000:ffff:ffff:ffff:ffff:ffff.
Got tired of typing ffff, I guess.